Silly Bank Password Policies

Ever since online banking was first introduced more than 15 years ago, security of financial data has been a concern. And as hackers have become increasingly sophisticated at stealing information, banks have been forced to continually develop new ways to stop them.

Although many of the advances in security technology are needed, some policies surrounding passwords have increasingly become a pain in the neck for consumers. And now, a new study from researchers at Microsoft concludes that some of these annoying security protocols don’t even reduce fraud anyway.

There are two password policies in particular that the report concludes are unnecessary:

The first is requiring consumers to frequently change their passwords. Supposedly many banks have this policy because it limits the amount of time a compromised password can be used and thus cuts downs on fraudulent activity. However, since stolen login info generally is used quickly, the chance of the policy working is "as likely as a crook lifting a house key and then waiting until the lock is changed before sticking it in the door," according to one of the researchers speaking with The Boston Globe.

The second policy that researchers call unnecessary is requiring "strong" passwords, ones that are a certain minimum length and include a variety of characters like uppercase letters, numbers, and sometimes even symbols. Many banks have this requirement to make it harder for hackers to guess passwords. But the researchers have concluded that there are better ways to protect against guessing hackers, such as cutting off access if someone fails to login more than three times. And strong passwords don’t protect against phishing attacks or keystroke-stealing spyware, the most typical ways hackers get passwords.

There is even an argument that both of these security policies make consumers LESS safe. As passwords are frequently changed or become unusually long, they become harder to remember which forces people to write them down or store them on their computer, making them more likely to be compromised than if they were just in the person’s head.

Thus, we at BankFox hope that banks take heed of this research, and allow consumers to use easy-to-remember passwords that don’t need to change all the time.

We hope that instead, banks spend their security resources preventing larger breaches. For instance, all the password changes in the world wouldn’t have stopped an employee of Rocky Mountain Bank from accidentally emailing thousands of customer records to a misspelled gmail account, nor would it have prevented Bank of America from losing personal information on more than a million of its customers.

Banks are susceptible to sophisticated attacks, but as shown by the above situations, security breaches can also come from poor internal management and policies. We hope that banks are smart about their security processes and don’t unnecessarily subject their customers to annoying time wastes if they don’t create any additional protection.